The End for Facebook’s Security Evangelist

Alex Stamos, Facebook’s chief information security officer, has publicly challenged the National Security Agency director, sparred with the media on Twitter and taken his bosses at Yahoo and Facebook to task over security issues. Credit: Steve Marcus/Reuters

At times, Mr. Stamos’s outspokenness made him an asset. But it also made him a nuisance in Silicon Valley, where tech executives publicly praise a spirit of openness even as many of them become more opaque.

At Facebook, Mr. Stamos favored more disclosure about how Russian agents used the site to influence the 2016 presidential election and beyond. He also pushed for organizational changes to better prevent misinformation. But Mr. Stamos, 39, was met with resistance and now plans to leave the company just ahead of the midterm election.

“It is a hard decision, weighing the potential future good you might do in an organization vs. how likely they will let it happen,” Jeff Moss, founder of the Black Hat and DefCon cybersecurity conferences, posted about Mr. Stamos on Twitter. “Put another way ‘You can eat well or sleep well, but seldom both.’”

Facebook did not have a comment for this article and referred to Mr. Stamos’s previous comments and his posts on Twitter. On Tuesday, Mr. Stamos tweeted that Facebook executives, including the chief executive, Mark Zuckerberg, and the chief operating officer, Sheryl Sandberg, “supported the investigation and disclosure of our work, and I’m glad we put out what we found.” He did not address the disputes over the reorganization of Facebook’s security team.

Mr. Stamos, a California native and a graduate of the University of California, Berkeley, previously worked at start-ups and founded a security consulting firm in San Francisco before joining Yahoo as its chief security officer in mid-2014.

He became somewhat of a legend in 2015 when he pushed back on government efforts to weaken security. At the time, after surveillance disclosures by the former National Security Agency contractor Edward J. Snowden, Silicon Valley companies were adding anti-surveillance protections including encryption to their data centers and messaging tools. Washington accused tech companies of going too far, and the F.B.I. pressed companies like Apple to weaken their encryption or build in a government back door.

In February 2015, at a cybersecurity conference in Washington, Mr. Stamos stood up to Adm. Michael S. Rogers, the N.S.A. director, by likening the government’s requests to “drilling a hole in the windshield.” A video of the encounter went viral, making Mr. Stamos a celebrated figure in privacy and security circles.

Within Yahoo’s security team, known as the “Paranoids,” Mr. Stamos was considered an inspiration by many of its young engineers. But his vocal — at times abrasive — advocacy for privacy and anti-surveillance measures often put him at odds with Yahoo’s leadership, including the chief executive, Marissa Mayer.

Mr. Stamos had successfully campaigned for Yahoo to encrypt the data flowing through its data centers. But when he pushed for end-to-end encryption — which ensures that only the parties in a conversation can see what is being said, leaving even Yahoo unable to read it — Ms. Mayer and other executives scoffed.

Some of Mr. Stamos’s other security proposals at Yahoo, such as resetting customers’ passwords after a breach, were rejected because the added inconvenience might encourage Yahoo customers to leave.

By then, Mr. Stamos had drawn the notice of Facebook executives. Some at the social network worried aloud whether he was too much of a firebrand to join the social network, according to three current and former Facebook employees who declined to be named because of nondisclosure agreements. But others argued that his activism was a benefit for the company.

Mr. Stamos joined Facebook in June 2015. From the start, the current and former employees said, he got off on the wrong foot with some executives, including Ms. Sandberg, over how best to police the platform. Facebook was increasingly grappling with cyberattacks from countries like Iran, whose hackers were caught trying to break into the accounts of State Department employees, and from Russia, the current and former employees said.

In a statement on Monday, Mr. Stamos said his relationship with Ms. Sandberg was “productive.”

After a breach of the Democratic National Committee in June 2016, Mr. Stamos pulled together a team to investigate Russian interference on Facebook. The findings pitted him against executives in the company’s legal and communications groups. While Mr. Stamos argued to disclose more, others said that by proactively disclosing what they had found, Facebook had become a target of further public ire, according to seven current and former Facebook employees.

Internally, Mr. Stamos repeatedly argued that Facebook needed to act more like a defense contractor in dealing with security, given that the social network was becoming a similar target for nation states.

In audio leaked in October to ZDNet, a tech news site, he told his security team that he explained to management “that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost.”

The tape infuriated Mr. Stamos’s bosses, according to the current and former employees. A leak investigation is continuing, two of the people said. They said some executives believed Mr. Stamos had leaked the audio himself to get Facebook to take his entreaties more seriously.

Mr. Stamos later tweeted that the audio was “not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network.”

By October, the relationship between Mr. Stamos and Ms. Sandberg had deteriorated over how to handle Russian interference on Facebook and how best to reorganize Facebook’s security team before the midterm elections, according to more than half a dozen people who work or formerly worked at the company. Mr. Stamos proposed that instead of reporting to Facebook’s general counsel, Colin Stretch, he report directly to Facebook’s higher-ups.

Instead, executives released Mr. Stamos from much of his day-to-day responsibility, employees said.

Mr. Stamos has said his remaining days at Facebook will be spent “exploring emerging risks and working on election security.”